Doubts about firewall Cisco PIX as VPN termination device

Eric Vyncke evyncke at CISCO.COM
Wed Jan 17 16:24:54 EST 2001

[Notice my bias by looking at my email address]

Comments in-line

At 09:51 17/01/01 -0200, Venicio Vilas-Bôas wrote:
>     We have a Cisco PIX firewall. We would like to implement remote
>access. I read in FAQs that "by doing VPN on an existing firewall, you add
>some intense processing to a device whose original purpose was, simply
>speaking, to control network access" and I also read that "because of
>security reasons we don't recommend using the PIX as a VPN termination
>device". Then I have some doubts:

No doubts, but I wonder where you found this information. A lot of
customers are using the PIX as a VPN termination point.

>1) Can I use the Cisco PIX firewall as a VPN termination device or not? What
>are the security reasons for not using the Cisco PIX firewall as a VPN
>termination device?
>2) How many VPN sessions does a Cisco PIX firewall support?

If you call an IPSec tunnel (towards a single IKE peer) a VPN session,
it depends on the exact model of the PIX and whether you are using
hardware crypto. You may go up to 2000 tunnels (even more with HW).

>3) I have a document from Cisco entitled "An introduction to IP
>Security (IPSec) Encryption", which shows how to configure the firewall for IKE.
>This documentation permits configuring the ISAKMP SA using pre-shared keys or a CA.
>I would like to know whether this documentation is enough to configure the
>Cisco PIX firewall as a VPN termination device, or whether I need other
>documentation?

Most probably. You may also want to learn more about IPSec to understand
its concepts (like PFS, ...) and mechanisms (this statement obviously
is applicable to any security technology/device/vendor).

>4) What are the differences between using the Cisco PIX firewall and the Cisco
>CVPN 3005 as VPN termination devices?

Main differences are:
- PIX: is a complete firewall with full auditing, inspection and some IDS
- VPN 3000: has only packet-filtering firewalling, but is optimized
  (regarding centralized configuration and performance) to handle several
  thousands of remote users (read: IPsec-enabled mobile PCs).

Hope this helps


>I am looking forward to hearing from you and thank you in advance for your

Eric Vyncke                        
Distinguished Engineer             Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke at          Mobile: +32-475-312.458
PGP Key available on request       MOBILE HAS CHANGED ON 11th November 2000

VPN is sponsored by SecurityFocus.COM
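As an added illustration, not part of this e-mail and not taken from the Cisco document the question mentions, here is what a minimal site-to-site IPsec termination on a PIX looks like in PIX 6.x command syntax (written from memory of that syntax, so treat the exact commands as assumptions to be checked against the release notes). It shows the two pieces the question asks about, an ISAKMP (IKE phase 1) policy authenticated with a pre-shared key and the IPsec (phase 2) crypto map, and it enables PFS, the concept named in the reply. The algorithms are era-appropriate (3DES/SHA-1), the peer and protected networks use RFC 5737 / RFC 1918 placeholder addresses, the key is a placeholder, and the access-list and crypto-map names are made up for the example.

```text
: Added example in PIX 6.x syntax (assumed); lines starting with ":" are comments
: Phase 1 (ISAKMP/IKE) policy: pre-shared key, 3DES, SHA-1, DH group 2, 1-day lifetime
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Pre-shared key bound to one specific peer (placeholder key, documentation address)
isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.10 netmask 255.255.255.255
: Traffic to protect: local 10.1.0.0/16 to remote 10.2.0.0/16
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
: Phase 2 (IPsec) transform set and crypto map; PFS forces a fresh DH exchange per IPsec SA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 set pfs group2
crypto map VPNMAP interface outside
: Let traffic arriving through the tunnel bypass the interface access-lists
sysopt connection permit-ipsec
```

The `netmask 255.255.255.255` on the `isakmp key` line pins the pre-shared key to a single peer address rather than a wildcard, which is the setting to check first when auditing such a configuration. After the peer brings the tunnel up, `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX show the phase 1 and phase 2 security associations respectively, and the per-tunnel counters in the latter are what the "how many sessions" question is really counting.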
